Singapore Dedicated Server Bandwidth (Uplink) | Network latency | Environment monitoring
Xssist™ Group Pte Ltd Singapore Dedicated Servers Client Testimonials Blog Community Frequently Asked Questions Contact Page
Singapore Dedicated Servers
Control Panel System
Control Panel System
Xssist Blog

Tracking applications which are exploited for mass spam mailing

It can be difficult to trace which account, and which application is being exploited for mass spam mailing. Especially so for shared servers which are used by hundreds of websites, and running php as an apache module. The user which is sending out the spam will be the user running the apache process, i.e. "nobody.

Interestingly, mod_security can be used here. Enable audit for mod_security with the following lines:

SecAuditLog /usr/local/apache/logs/audit.log
SecAuditEngine ON

also add the following:

SecFilterScanPOST On
SecFilterSelective "POST_PAYLOAD" "put unique string from offending mail here eg. LOTTERY"

and you can check /usr/local/apache/logs/audit.log for which URL is being posted to, and the content of the POST. From there, you can decide to suspend the account, disable the application, put the URL into your firewall etc.

and here's a few exim command lines for managing your mail queues:

exim -bp # lists out the mail queue
exim -Mvl <msgid> # shows log for the particular message
exim -Mvb <msgid> # view body of message
exim -Mvh <msgid> # view header of message
exim -Mrm <msgid> # removes message from queue

Lim Wee Cheong
27 May 2007

[Sysadmin] Access to servers via mobile device and ssh
[Sysadmin] RAID 0 scaling on SCSI U320, Bonnie++ 1.93c benchmark results
[Sysadmin] TODO (Apr 2007)
[Sysadmin] Recover from mistakes in /etc/fstab or e2label usage
[Sysadmin] Server overloaded?
[Sysadmin] Server load high: CPU bound
[Sysadmin] Smokeping: deluxe latency measurement tool
[Sysadmin] Smokeping
[Sysadmin] Jul 08 to Oct 08 updates
[Sysadmin] Weak link - downtimes caused by the organic being
[Sysadmin] BIOS upgrades - uniflash - hotflash
[Sysadmin] Sizing for Virtual Private Server (VPS) & SSDs
[Sysadmin] iphone, ipod - bluetooth keyboard - Nokia e51
[Sysadmin] e2label, fdisk, /etc/fstab, mount, linux rescue, rescue disk, CentOS
[Sysadmin] opensuse, fix waiting for mandatory device, eth0, eth1, eth2, eth3
[Sysadmin] mount: could not find filesystem '/dev/root'
[Sysadmin] Parallels Virtuozzo Physical server to Container migration (vzp2v)
[Web hosting] DDOS (Distributed Denial of Service)
[Web hosting] Uptime for dedicated server, VPS and shared server
[Web hosting] Shared, Guaranteed and Dedicated Bandwidth
[Web hosting] Unmetered bandwidth
[Web hosting] Free domains?
[Web hosting] Joomla Scalability
[SPAM handling] Tracking applications which are exploited for mass spam mailing
[Buzzwords] Clusters, Clustering
[Security] Destruction of faulty hard disks
[Storage] Benchmark using iometer on linux
[SSD] Benchmark Intel X25-E and Intel X25-M flash SSDs
[SSD] Intel X25-E 64GB G1, 4KB Random IOPS, iometer benchmark
[SSD] Intel X25-M 160GB G2, 4KB Random IOPS, iometer benchmark
[SSD] Comparison of Intel X25-E G1 vs Intel X25-M G2
[cPanel] ClamAV version has reached End of Life! Please upgrade to version 0.95
[cPanel] How to install Java, ImageMagick and ffmpeg
[Perl] Opening text files for reading, and simple regexp (regular expressions)